Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Bug w/multiple recipients in one email de
  FAQ FAQ  Forum Search   Register Register  Login Login

Bug w/multiple recipients in one email de

 Post Reply Post Reply
Author
lyndonje View Drop Down
Senior Member
Senior Member
Avatar

Joined: 31 January 2006
Location: United Kingdom
Status: Offline
Points: 192
Post Options Post Options   Thanks (0) Thanks(0)   Quote lyndonje Quote  Post ReplyReply Direct Link To This Post Topic: Bug w/multiple recipients in one email de
    Posted: 28 March 2006 at 10:06am
Hi there, I think I've found a bug whereby a 3rd party sends an email to multiple recipients that are on different domains, where both recipient domains are both clients of ours, and have their own servers. The email in questions was sent to 2 users at domain 1, and 1 user at domain 2.

It looks as though SF has made a connection to the destination server of domain 1, and successfully passed the email to the 2 local users on that server, but it also looks as though its tried to pass the same email for the 3rd user to the first domains server, and received a user does not exist error.

03/28/06 09:39:11:805 -- (3444) Connection from: 'ip'  -  Originating country : United Kingdom
03/28/06 09:39:11:930 -- (3444) Resolving 'ip' - mail.host
03/28/06 09:39:11:976 -- (3444) - SPF analysis for mail.host done: - none
03/28/06 09:39:11:976 -- (3444) Mail from: sender@senderdomain
03/28/06 09:39:17:976 -- (3444) - MAPS search done...
03/28/06 09:39:17:976 -- (3444) RCPT TO: user1@domain1 accepted
03/28/06 09:39:18:039 -- (3444) Mail from: sender@senderdomain
03/28/06 09:39:18:039 -- (3444) RCPT TO: user2@domain1 accepted
03/28/06 09:39:18:086 -- (3444) Mail from: sender@senderdomain
03/28/06 09:39:18:086 -- (3444) RCPT TO: user3@domain2 accepted
03/28/06 09:39:18:273 -- (3444) EMail from sender@senderdomain to user1@domain1, user2@domain1, user3@domain2 passes Bayesian filter - 0% spam  (0ms)
03/28/06 09:39:18:289 -- (3444) EMail from sender@senderdomain to user1@domain1, user2@domain1, user3@domain2 was queued. Size: 2 KB, 2048 bytes
03/28/06 09:39:18:398 -- (3444) Disconnect
03/28/06 09:39:19:008 -- (1240) EMail from sender@senderdomain to user1@domain1, user2@domain1, user3@domain2  was forwarded to domains1s_destination_server_ip
03/28/06 09:39:19:008 -- (1240) Some recipients do not exist, sending NDR bounce to sender
03/28/06 09:39:19:008 -- (1240) EMail from: sender@senderdomain to: user3@domain2 was returned to sender - The following recipients are unknown: user3@domain2
03/28/06 09:39:19:164 -- (1240) Error-email from sender@senderdomain to user3@domain2 was forwarded to NDR_relay_server_ip


Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 28 March 2006 at 6:54pm
lyndonje,

SpamFilter delievers the email "as is" to the destination SMTP server. In this case, the single incoming email has recipients belonging to multiple domains. The "problem" is that the domains have different forwarding SMTP servers, but SpamFilter cannot "split" the email and deliver a copy to each of the servers responsible for each of the domains, all it can do it to take the first destination SMTP server and forward the email to it.
 
Unfortunately there is currently no workaround for this behavior. We may alter the way email is forwarded in the future to address this issue, but we don't have any estimates on when this will be available
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
lyndonje View Drop Down
Senior Member
Senior Member
Avatar

Joined: 31 January 2006
Location: United Kingdom
Status: Offline
Points: 192
Post Options Post Options   Thanks (0) Thanks(0)   Quote lyndonje Quote  Post ReplyReply Direct Link To This Post Posted: 29 March 2006 at 2:45am
In that case I can not make use of multiple destination servers. 

I think Microsoft call this type of a bug something like 'A known issue by design'

I guess I can do no more than ask you to put this on a ToDo list and wait.

Thanks.
Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 13 May 2006 at 11:04am

SF has a problem with multi-recipients in general.

IF a spammer sends an email to 10 users (same domain) in a single email and any one of those uses is whitelisted, all the recipients get the email.

We use AuthorizedTo lists and if a spammer sends a single email 10 users in the same domain, 9 bogus users and 1 user who is real and who happens to be whitelistedTo, then SF will send to all 10 users and 9 of them will bounce because they are invalid users.

Why doesn't SF recognize at least AuthorizedTo users. I think your handling of multi recipients needs to be re-evaluated. I know its hard to do, but its a pretty big hole and I have a few spammers who have figured it out and continually send spam lists with multi-recipients. They don't know why it gets thru, they just know its not being rejected and keep on sending it in that same format.



Edited by WebGuyz
http://www.webguyz.net
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 14 May 2006 at 11:42pm
If an email with multiple recipients arrives, the email is classified as spam, and one of the recipients is whitelisted, it is a difficult case to handle.

SpamFilter *has* to either output a "OK, message recieved" or an "Sorry, email rejected". Basicvally it has to respond "yes we'll deliver the message" or "problem, the message can't be delivered".

There cannot be a case when the email is delivered to some users and not delivered to others. The only solution would be for SpamFilter to accept the email, forward it to your SMTP server for the one recipient who is whitelisted, and then send NDR (non-delivery notifications) to the sender for the addresses to which it was not delivered. This however would create havoc, as SpamFilter would then send potentially tens of thousands of NDR emails per day to senders, who are often victim of email spoofing. Within days your IP address would be blacklisted by MAPS servers...

Please note that SpamFilter *MUST* send an NDR if an email is accepted but cannot be delivered. Part of what makes SpamFilter efficient is that it rarely generates NDR, as it will reject spam emails by outputting an error code to the sender, thus placing the burden of sending an NDR to them.

There is little choice but to behave as SpamFilter is doing. If an email comes in, and a recipient is whitelisted, the email must be received...

As far as the AuthorizedTo list is concerned, can you please explain more in detail what the problem is? In theory, when a sedner attempts to send an RCPT TO command to a recipient who is not in the AuthorizedTo list, they will be disconnected immediately, without being given a chance to "go fishing": of r other recipients. So as soon as a user is bogus, they will be disconnected, and the email should never go thru.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 16 May 2006 at 9:28am
WebGuyz, regarding your problem with 1 receipient on your "unfiltered emails" list causing all recipients to receive the message, I have a suggestion that you may want to try:

Try removing whitelisteduser@yourdomain.com from the unfiltered emails list - and adding this to your AutoWhiteListForceDelivery.txt file:
*|whitelisteduser@yourdomain.com

I tested this as a work-around to that same problem (on a 2.7x build a few months back) and it did the trick.  Hopefully, it will still work on whichever version of SpamFilter you are currently running.

Stephen
Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 16 May 2006 at 12:07pm

Roberto,

  I sent a zip with an example of the failure of multi-recips and AuthorizedTo list. It has a zip attachment so if you don't get it check your spam filter.



Edited by WebGuyz
http://www.webguyz.net
Back to Top
corldless88 View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote corldless88 Quote  Post ReplyReply Direct Link To This Post Posted: 16 May 2006 at 5:14pm

HI,

I have too encountered this bug, and personally

think / suggest that Spamfilter should split message

to handle this special case. as it is fairly commonly found senario.

Thnaks

 

Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 16 May 2006 at 5:32pm

Whats bad is if the spammer crowd does not get a message rejection they score that as a win and will keep using that same set of recipients over and over again. We have a few cases where a handfull of people are always hit and because one lone user in that bunch insists on being unfiltered all the users in that same 8 recipient group get the spam even though only one user wants it.

And sgeorge, *|whitelisteduser@mydomain.com does not really help, users still do not get spamfiltered properly and spam that should have been caught gets on through.

http://www.webguyz.net
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 17 May 2006 at 3:46am

just a thought: maybe SPF can treat the mail as spam all the way, but make it check if any of the recipients is "allowed" to receive the spam. if a match on one of the adresses is found, attach a new header to the mail with only *that* adress and send it on to the mail host.

I'm not sure if that is legal, since it is a form of tampering with mails (adding a new header in front of the existing mail), but maybe this could be a solution to this particular problem. Spammers know the effect of multiple recipients and, lame as they are, will not hesitate to abuse this mail feature. The need of the many should outweigh the need of the one is my opinion, smoking in public places is no longer allowed too.

Ofcourse adding a new header, and inserting the old header into the mailbody creates overhead for the SF box, not to meantion headaches for Roberto, but perhaps it is doable.

 

Marco

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 17 May 2006 at 10:23am
Webguyz, sorry to hear that it didn't work!  I'm out of bright ideas..    
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 17 May 2006 at 7:58pm
Webguyz,

With your settings we were finally able to reproduce the behavior you see. This is something I should have caught sooner as we've seen it before, sorry.

The bayesian filter is causing the difference in behavior.

When using the AuthorizedTo whitelist, and when the *Bayesian filter is disabled*, SpamFilter will indeed forcibly disconnect the sender the split second they specify an invalid recipient. This is done so they do not have a chance to go fishing for more addresses. So far so good.

However if the Bayesian filter is enabled SpamFilter will need to receive all emails so that the filter can "learn" about what is spam and what isn't. As it needs to receive the email, SF cannot reject a recipient, it must accept them all so that the remote server can then send the email's body. The functionality of the Bayesian filter *requires* than all emails be received, so we have no choice here. As recipients are sent, if one of them matches an address in the "Unfiltered list", again we pretty much have no choice... If SF receives an email addressed to an email that is to be unfiltered, it needs to deliver it, thus the email is whitelisted.

We are now in a vey bad spot. An email that is spam and needs to be rejected, but an "unfiltered" users must receive it. SpamFilter MUST let the remote server know if it accepts or rejects the email. True or false, there is no in between. If SF rejects it, the unfiltered user will complain that his email was rejected even though he (the CEO...) required all his emails unfiltered. If SF accepts it, well... SF accepted spam and it's the current behavior. The alternative some users suggest is to "accept it for the unfiltered user, reject it for everyone else". But again, that is not possible as we must either send an OK code or an error code to the remote SMTP server. If we accept it, but configure SpamFilter to only deliver it to the unfiltered user, then we **MUST** inform the sender that the other recipients did not receive it. The *only* way to do that now, since the email was already accepted, is to send a NDR-non-delivery email to the sender. But now, once more, we have a huge problem as SpamFilter would be sending a kazillion NDR emails to bogus users (99% of the times the sender is fake), and will end up being blacklisted in a matter of days.

So... there is no solution to this. If using an AuthorizedTo list to define the existing users, and using an Unfiltered list to specify users who are to be unfiltered, and if using the Bayesian filter, the behavior see ns by design and will not / cannot change. Sorry...

As usual, if anyone has a solution that we did not think about, (and is practical to implement), we'll look into it.

PS - The only exception in the Bayesian filter needing to receive emails is when spammers try to use SpamFilter as an open relay - they are immediately disconnected if so.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 18 May 2006 at 12:20am
WOW!
Well,  if you add the tag option to the unfiltered list, will it still get tagged under the above sequence of events?  If yes, the users can still send the message to the bit bucket using their spam rules in their client software.  We tag all unfiltered entries so the users can do this.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 18 May 2006 at 4:03pm
Yes, you're correct. Spam will be tagged in this case as such.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
vrspock View Drop Down
Newbie
Newbie
Avatar

Joined: 31 May 2005
Location: United States
Status: Offline
Points: 16
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 18 August 2006 at 10:46am

I decided to try utilizing the information in this thread concerning the bayseian filter forcing email to be delivered to multiple recipients when one or more recipients is on our exclusion list and/or has a *|mailbox@domain entry in the autowhitelistforceddelivery file.

Turning of the "learn new emails" function in the bayseian filter seems to have done the trick...I think....we're seeing a lot more disconnects now when the emailauthorizedto list is violated.  Maybe this will help to block all those spams getting through because of multiple recipients.  We've been getting a huge amount of them here in the last few weeks.

Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 18 August 2006 at 10:54am
Originally posted by vrspock vrspock wrote:

Turning of the "learn new emails" function in the bayseian filter seems to have done the trick...I think....we're seeing a lot more disconnects now when the emailauthorizedto list is violated.  Maybe this will help to block all those spams getting through because of multiple recipients.  We've been getting a huge amount of them here in the last few weeks.

Keep us appraised please. We are plagued by this as well. Thanks!!

http://www.webguyz.net
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 19 August 2006 at 5:50pm

Roberto,

with regard to your post on May 17th...

As SF needs to accept the email, and at least one recipient is "unfiltered", when the email is passed to the bayseian filter....is it learnt as ham or spam ????

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 19 August 2006 at 6:16pm
ham...
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 19 August 2006 at 6:36pm

oh, even though it's obviously spam ??

I would have thought that you would learn it as spam, but still deliver it to the unfiltered user.

Surely doing it the current way could render the baysian database useless, as it's learning spam as ham ?

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 19 August 2006 at 7:05pm
Most whitelists are processed before any of the spam filters. Once a sender is whitelisted, all other filters are skipped (except the antivirus) and the email is delivered. SpamFilter thus has no idea if the email "would" be considered spam or not. This is by design and will not likely be changed in the future, as proceeding with filtering an email even though it's whitelisted will hurt performance.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 19 August 2006 at 7:08pm

"hurt performance" .....  even at the expense of letting in spam?? Doesn't that defeat the whole idea of SF ??

 

Back to Top
vrspock View Drop Down
Newbie
Newbie
Avatar

Joined: 31 May 2005
Location: United States
Status: Offline
Points: 16
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 20 August 2006 at 10:48am

So far so good webguys...I will hear a report from our end users on Monday, but from our logs it appears to be doing the trick:  Authorized To in combination with disabling the bayesian filter learning new emails and using *|mailbox for exlcuding accounts on the autowhitelistforceddelivery list.

What appers to happen is when a multiple-recipeint email comes in with a hit-or-miss list of mailboxes, typically the very first mailbox is an invalid one, the authorized to list gives its error and the session is immediately disconnected without further processing.  Also, we've set our blacklist cache and limbo settings to some very agressive settings.  We had already done this before trying to disable the bayesian filter as mentioned in this thread.  I'm not sure how doable these settings would be for those with a much higher volume of email coming through, but we have ours set to 3 failures within a 2-hour period lands you on our blacklist cache for 6-hours.  With all of the authroized-to failures dropping connections, our black list cache limbo is starting to become quite extensive, but our actual black list cache will typically only have 4 or 5 ip's at any given time, which confirms that the spam that has been getting through is hitting us from zombie machines.

I've only seen one or two spams getting through to my mailbox this weekend which is a significant drop from the past few weeks.

Back to Top
vrspock View Drop Down
Newbie
Newbie
Avatar

Joined: 31 May 2005
Location: United States
Status: Offline
Points: 16
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 21 August 2006 at 5:52pm

We've still got some very persistant spam getting through....one appears to have been a connection from Korea that happen to hit a valid, excluded email address on the first try and had a field day with random from/to addresses from then on.  Managed to get quite a few spam to pass through and generate a bunch of NDR's when spam filter attempted to deliver the message to about 20 or so invalid mailboxes.  This was one of the pharmacuetical spams.

Since this causes a mass of NDR's to be generated anyhow when spam filter accepts an email that has 1 valid, excluded address and about 20 to 30 invalid addresses, what difference would it make if we just split the message and NDR the non-excluded addresses?  Either way, we are generating a bunch of bounce backs.  At least by splitting the message, only those on the exclude list are getting what they asked for while everyone else is still filtered.

Think I'm going to lower our acceptable number of CC's and see if that helps any. 

Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 21 August 2006 at 6:10pm

I have a solution which works for us, although Roberto will go nuts when he hears it !!!

I configure SF to not quarantine anything, but instead to tag and deliver. It then delivers the mail to IIS's SMTP server on the same box, which is configured to allow all domains. I then run a custom script in the OnArrival SMTP event which splits the email, sending it only to the recipients that either are "unfiltered" of specifically want email from the sender/domain. I then just abort delivery to the rest of the recipients, as they either dont exist, or don't want the spam. Therefore, the people who want the email get it, and the people who dont....dont. Also, as the email delivery gets aborted, no NDR's are generated.

Yes, Roberto, I hear you....I know you don't like splitting emails, and it's not strictly to the letter of the RFC, but if you won't do it, then I'll have to ...  ....talking of the RFC...I understand being in strict compliance....but the RFC has major failings. If they had got the RFC right in the first place, we wouldn't be getting this spam now....

 

For the rest of you....this custom script includes a bunch of code that needs to remain confidential, but I'll try to pull out the relevant parts and post the code here just in case anyone wants to have a play. Give me a week or so as were quite busy at the moment.

 

Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 11:11am

i advise you to be very  'paranoid' when giving out code and explaining how you do it *in public*  im convinced some of the registered users here are indeed spammers. Topics have been started on this subject before, just be aware.

 

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
vrspock View Drop Down
Newbie
Newbie
Avatar

Joined: 31 May 2005
Location: United States
Status: Offline
Points: 16
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 2:00pm

I agree, caution is definetly in order on here with regards to our methods of dealing with the constant flow of spam.

I have thought about using our mail server's own anti-spam features in combination with spamfilter to do something similar, but the whole point of the authorizedto list is to reduce the number of hits we get from people who are blind spamming using lists that are populated with a bunch of non-existant mailboxes.  By not getting an NDR, they assume that their list is good and will continue using it.

On a side note, I did find something kind of humerous on the web with regards to email scavenging.  It was a .asp script that allowed for the random and dynamic generation of an infinite number of cross-linked pages filled with fake email addresses...it'd keep dishing them out as long as the scavenging program kept scanning for them.



Edited by vrspock
Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 3:45pm

SpamFilter should facilitate the the flow of good email while blocking the spam.  When the recipient list is not processed completely, the software falls short of this objective.  The difference is SpamFilter needs to potentially make more than one outbound connection to deliver an email message. I thought all email servers did this anyway for outbound email and SpamFilter should be no different as it now supports authenticated outbound and relayed email.

1. SpamFilter currently sends a single NDR on a failure of one or more spam checks per the ini settings.  That single NDR SpamFilter can send per config is the only NDR SpamFilter should continue to send; there is never more than ONE SENDER to report an NDR to.

2. SpamFilter does not need to send multiple NDR's in this case. One NDR is generated if a virus or spam test fails AND the configuration determines whether or not to send NDR for that failure.  The text "relay or delivery to one or more recipients failed" along with the failed recipient list SHOULD be included in the NDR message when one or more recipients in a multiple recipient email is processed and NDR is supposed to be sent.

3.  There is no email splitting.  It's a matter of issuing one connection for each authorized domain when sending out and issuing one rcpt to: command for each recipient in the connected domain.  Copies of an email are sent to forwardable recipient domains.  Forwardable recipient domains are defined as those that do not fail a spam test and whose domain is in the list of allowed domains.

4.  The recipient list SHOULD be sorted by domains and sent in a loop to recipients (rcpt to:) grouped by domains (connections per authorized domain list).

5. If there are recipients in the headers that are not in the allowed domains; they are irrelavant and are ignored.  Spamfilter would have ALREADY refused those rcpt to: commands when the message was received.  SpamFilter could always build it's own alternate recipient x-header based on the rcpt to: commands it accepted on the inbound email receive.

So, in summary, with all of the flexible and powerful features already in this program; adding a feature that provides greater degree of accuracy is an intelligent direction for the product to take. I'm sure I'm missing a bit and overlooking a few gotchas in my ideas above, but this recipient accuracy feature deserves more consideration.

-Matt

-Matt R
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 4:23pm

>>>>Vrspock...By not getting an NDR, they assume that their list is good and will continue using it.

 

I disagree. 99.9999% of spammers don't use conventional SMTP servers to send their spam. The programs that they use completely ignore conventional denials in the smtp conversation i.e. they ignore the "550 unknown recipient" reply. Also, do you honestly think that they send a real email address in the "Mail From:" header? Do you think that they actually pickup the NDR's that are sent?  err...no.

 

After careful investigation of our logs, it is clear to me that by SF accepting the mail, then our systems re-writing the "RCPT TO:" header (hence dropping the recipients that don't exist or don't want spam) we are not getting any more spam attempts than we used to get. Therefore, the spammers aren't sending us even more spam just because we accepted the first email and didn't send an NDR.

 

This subject is obviously up for debate, but our opinion is that we will block spam from getting to our customers inbox because that's what they pay us to do (apart from the occasional paranoid user who insists on an unfiltered inbox...).

Each of you must do what you feel is right for you. This is right for us.

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 6:52pm
Matt,

As usual you have valid points. We are preparing (trying to) a new version (SpamFilter Entrprise) that will have a major new feature. Customizing *all* filters on a per-domain basis, and, on a more limited scale, per user. As part of this, we're changing *some* of the ways that emails are being forwarded, also to improve the issues with multiple recipients when there are whitelisted users.

As you said, there are "gotchas", and things that we will definetly not change. The most important one is that we will always be receiving an email completely, disconnecting the sender, and then forwarding the email to the destination SMTP server. But perhaps the most important thing that we were already working on are your points #2 & #4.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2006 at 7:20pm

Originally posted by LogSat LogSat wrote:

Matt,

As usual you have valid points. We are preparing (trying to) a new version (SpamFilter Enterprise) that will have a major new feature.

YES!!!

http://www.webguyz.net
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.094 seconds.